Score:0

Postfix bar authentication from internet


I have a Postfix e-mail server which should allow internal users to send and receive mail via it.

The sending should happen only when a user succeeds in a VPN connection which provides him/her with non-routable IP address on my LAN. Sending from the internet should not be allowed.

At the moment I am faced with a situation where attackers try to authenticate from the internet in an attempt to gain access to a mail account, which presumably would allow them to send nefarious mail from a hijacked account. What happens now is that when they guess a user's account that does exist, they try to brute force it. My authentication in Postfix is outsourced to Dovecot, which in turn contacts IPA. What happens now is that IPA locks out the said user temporarily after every so many failed brute force attacks, causing a denial of service for the real user of that name.

Ideally I would want Postfix not even to respond to the SMTP command sequence trying to authenticate a user from the internet, but immediately answer in the negative. It should only allow delivery of mail to us from the internet. Is there a way to configure this?

anx
Since your question does not contain the specifics of your VPN setup and whether there are also messages sent from within your VPN but without authentication, my answer may or may not be appropriate. Feel free to [edit] your question to add example log lines to clarify what postfix logs when a message is submitted by one of your legitimate users.
anx
Do not forget that bots might also try Dovecot IMAP, so do check if Postfix is not the only place where you want to refuse service to outsiders.
Score:2
anx

If the abused auth feature is not needed otherwise, you can configure Postfix to not expose that feature to the wider internet. This is usually done by editing your main.cf and master.cf files.

First, read your logs. I think your legitimate mail submissions are distinguishable from internet mail receipt via three methods, so you can limit your service to just that. Verify that:

  1. They always authenticate,
  2. they always use specific ports dedicated to mail submission,
  3. and they always connect via the VPN, not via the internet address.

If that is true, you can easily ensure that authentication is only available to that limited subset of connections:

Step 1: In master.cf, you find the services where you do want authenticated mail submission and only for those turn authentication on.

Typically, you only have one or two such services, easily identifiable from the first column: smtps, possibly additionally submission.

Optionally bind it to the not publicly routed address your clients in VPN see your server at (I used fd00:1337::1:5 in my example), if they should not be accessible from the internet.

# line below is where you prepend the network address
fd00:1337::1:5:smtps      inet  n       -       n       -       -       smtpd
 -o example_other=option
 -o more_options=example
 -o smtpd_sasl_auth_enable=yes
# line above is the option you add. note the leading space
# line below is where you prepend the network address
fd00:1337::1:5:submission inet  n       -       n       -       -       smtpd
 -o example_other=option
 -o more_options=example
 -o smtpd_sasl_auth_enable=yes
# line above is the option you add. note the leading space

Since this means postfix cannot properly bind the ports if it is started before your VPN setup has set up the internal IPs, this may mean that you need to add a service dependency (could be a one-liner, depends on your system/distribution). You are not done until you have verified that your new configuration works after a reboot.

Step 2: In main.cf, you turn off authentication for all smtpd instances

# it defaults to off
smtpd_sasl_auth_enable = no

Now, except for the specific services for which it is explicitly enabled above, postfix will not announce supporting authentication. Clients that try anyway will be refused service by postfix, leaving your authentication backend unbothered.
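A way to carry out the "verify after a reboot" step above. This is an added example, not code from the answer or from Postfix; it assumes the `postconf -P` output format 'name/type/parameter = value', and the host names and ports in its main block (mail.example.org, fd00:1337::1:5) are placeholders taken from the answer.

```python
"""Post-reboot verification helper: an added example, not code from the answer.
Checks what the answer asks you to verify: which master.cf services have
smtpd_sasl_auth_enable=yes (parsed from `postconf -P`, whose 'name/type/parameter
= value' line format is assumed here) and whether a listener still advertises
AUTH in its EHLO reply. The hosts and ports in main are placeholders."""
import smtplib
import subprocess

def sasl_enabled_services(postconf_p_output):
    """Return the set of 'name/type' services whose smtpd_sasl_auth_enable is yes."""
    enabled = set()
    for line in postconf_p_output.splitlines():
        key, sep, value = line.partition("=")
        parts = key.strip().split("/")
        if sep and len(parts) == 3 and parts[2] == "smtpd_sasl_auth_enable":
            if value.strip().lower() == "yes":
                enabled.add(f"{parts[0]}/{parts[1]}")
    return enabled

def auth_advertised(ehlo_reply):
    """True if an EHLO reply lists AUTH; accepts raw '250-' text or smtplib's code-stripped bytes."""
    text = ehlo_reply.decode(errors="replace") if isinstance(ehlo_reply, bytes) else ehlo_reply
    for line in text.splitlines():
        line = line.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        words = line.split(None, 1)
        if words and words[0].upper() == "AUTH":
            return True
    return False

def probe(host, port, implicit_tls=False, timeout=5.0):
    """Connect and EHLO (upgrading via STARTTLS when offered, since AUTH is often only
    shown over TLS); return whether AUTH is advertised, or None if the connect fails."""
    try:
        cls = smtplib.SMTP_SSL if implicit_tls else smtplib.SMTP
        with cls(host, port, timeout=timeout) as s:
            s.ehlo("probe.example.org")
            if not implicit_tls and s.has_extn("starttls"):
                s.starttls()
                s.ehlo("probe.example.org")
            return s.has_extn("auth")
    except (OSError, smtplib.SMTPException):
        return None

if __name__ == "__main__":
    out = subprocess.run(["postconf", "-P"], capture_output=True, text=True, check=True).stdout
    print("SASL enabled for:", sorted(sasl_enabled_services(out)))
    print("public port 25 advertises AUTH:", probe("mail.example.org", 25))  # expect False
    print("VPN submission advertises AUTH:", probe("fd00:1337::1:5", 587))  # expect True
```

Run it from outside the VPN as well as inside: the public address should report False (or None for the VPN-bound ports, which must not be reachable at all), and only the VPN address should report True.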

Thanks, I am not familiar with the addressing fd00:1337::1:5. Could you elaborate?
anx
@Waslap It's a placeholder. What I *suspect* your setup may be is that your mail server has a fixed name or address in your private network. That name/address would likely look like `mailserver.internal.example.org`, `fd:*`, `192.168.*` or `10.*`. If true, you could tell postfix to bind those services to such a name/address, making its exclusive accessibility simple and (for future administrators) obvious.
anx
@Waslap If you are not certain about the exact consequences of people joining the VPN, note down the IP the clients see the server at (resolve whatever name is configured in their mail client) and the IP the server sees the clients at (logs).